Date: Thu, 7 Feb 2008 07:10:42 +0300 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: Re: Joomla password hashes On Wed, Feb 06, 2008 at 10:09:17AM -0500, Steve ...... wrote: > Im a little confused.. so I would have to add that below line for line to my > john.conf and run john wait a couple days then modify it again changing it > line by line run john on another hash?.. sounds like a lot of work and time. That's correct - although it's up to you to decide how long to let it run on just one hash - a couple of days sounds excessive to me if you have a lot of hashes. In fact, if you choose to test for just the initial passwords (those not changed by the users), then you'd need just a few seconds per hash. Good news (just kidding): with Joomla on PHP below 5.2.1, there can be at most 1 million different salts, so you wouldn't have to run JtR more than 1 million times even if you have more than 1 million of hashes. ;-) They use the same code to generate initial passwords and salts. (This also means that salts might leak info on initial passwords, reducing the typical search space from 1 million of candidate passwords even further.) This external mode that I posted was primarily a proof-of-concept. For actual use on a large number of hashes, you'd want support for these hashes added to JtR itself. > is it completely pointless to run john on the hash itself leaving out the > salt?.. Yes, it is. Alexander -- To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply to the automated confirmation request that will be sent to you.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.